When managing AWS WAF resources using Terraform, one common issue is exceeding the Web ACL Capacity Units (WCUs) limit, which can lead to deployment failures. This blog post will guide you through understanding WCUs, checking capacity using AWS CLI, and integrating this process into your Terraform workflow to ensure smooth deployments.
Understanding WCUs in AWS WAF
AWS WAF uses Web ACL Capacity Units (WCUs) to measure the resources required to run rules, rule groups, and Web ACLs. Each rule type has a different capacity requirement based on its complexity and processing needs. The capacity limits help AWS manage the performance and cost of running WAF rules efficiently.
- Simple Rules: Require fewer WCUs (e.g., size constraint rules).
- Complex Rules: Require more WCUs (e.g., regex pattern sets).
For detailed WCU calculations, refer to the AWS WAF documentation oai_citation:1,AWS WAF web ACL capacity units (WCUs) - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced.
Common Error
When you exceed the WCU limits, you may encounter the following error:
WAFInvalidParameterException: Error reason: You exceeded the capacity limit for a rule group or web ACL.
Checking WCU Requirements with AWS CLI
Terraform lacks built-in functionality to check WCUs before applying configurations. However, AWS CLI provides a check-capacity command to verify the WCU requirements. Here’s how you can use it:
-
Define WAF Rules in JSON:
Create a JSON file (
rules.json) with the rules you want to include:
{
"Rules": [
{
"Name": "Rule1",
"Priority": 1,
"Statement": {
"ByteMatchStatement": {
"SearchString": "BadBot",
"FieldToMatch": {
"UriPath": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
"Action": {
"Block": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "Rule1Metric"
}
}
]
}
-
Run the
check-capacityCommand: Use the AWS CLI to check the capacity:
aws wafv2 check-capacity --scope REGIONAL --rules file://rules.json
The output will look like this:
{
"Capacity": 15
}
This command returns the total WCU requirement for your specified rules. Ensure it doesn't exceed 5,000 WCUs for a single Web ACL.
Integrating Capacity Check with Terraform
To avoid deployment failures due to WCU limits, integrate the capacity check into your Terraform workflow using a shell script:
-
Create a Shell Script:
Write a script (
check_capacity.sh) to perform the capacity check:
#!/bin/bash
CAPACITY=$(aws wafv2 check-capacity --scope REGIONAL --rules file://rules.json | jq '.Capacity')
if [ "$CAPACITY" -gt 5000 ]; then
echo "Error: Capacity units exceeded. Current capacity: $CAPACITY"
exit 1
else
echo "Capacity check passed. Current capacity: $CAPACITY"
export TERRAFORM_CAPACITY_CHECK=passed
fi
- Integrate with Terraform: Modify your Terraform workflow to include the script:
./check_capacity.sh
if [ "$TERRAFORM_CAPACITY_CHECK" == "passed" ]; then
terraform apply
else
echo "Terraform apply aborted due to capacity issues."
fi
By incorporating this script, you ensure that your Terraform deployments only proceed if the WCU requirements are within limits, preventing potential failures and downtime.
Conclusion
Handling WCU limits is crucial for successful AWS WAF deployments using Terraform. By leveraging the check-capacity command in AWS CLI and integrating it into your Terraform workflow, you can proactively manage capacity and avoid deployment issues. This approach ensures a smoother, more reliable infrastructure management process especially until terraform starts to support a similar built-in functionality.
For further reading, check the official AWS WAF documentation on WCUs and the AWS CLI check-capacity command reference.
Top comments (2)
Thanks for the write up, much appreciated.
Question: After rules.json has been validated with
aws wafv2 check-capacity, how can we use it in our terraform script as a definition for waf rules?If this is not possible, what workflow would you recommend?
Heya, if I am getting your question write. You're trying to use the same
rules.jsonto actually define and setup the rule in your.tffile.At the moment, this is not possible and this is where the redundancy comes in. You have to first write the aws api accepted format in
rules.jsonand then you have to repeat that and write the terraform accepted format for yourrule/rule_group.Ideally, terraform should be able to fetch the needed capacity (which would omit the extra step of drafting
rules.jsonto see the needed capacity). This open issue interraform-aws-provideris trying to do that.